Microsoft Releases Out of Band Security Update for .NET Framework

Microsoft likes its security updates to be predictable and regular, which is why it has used its so-called Patch Tuesday events each month to provide individual and business customers with updates. But every once in a while there's a security issue that's too serious to ignore. So Microsoft will issue an out of band update, that is, an update that falls outside of the normal monthly schedule. And it's done just that, today, releasing a fix for four .NET vulnerabilities that can result in Denial of Service (DoS) attacks.

"Microsoft is currently unaware of any attacks targeting [this exploit], but we encourage affected customers to test and deploy the update as soon as possible," a note from the software giant reads. "Consumers are not vulnerable unless they are running a web server from their computer."

The issue is described as Vulnerabilities in .NET Framework Could Allow Elevation of Privilege, and is covered by Microsoft Security Bulletin MS11-100. The fix covers four individual vulnerabilities, one public and three that were reported privately to Microsoft. It impacts .NET Framework 1.1 Service Pack 1, .NET Framework 2.0 Service Pack 2, .NET Framework 3.5 Service Pack 1, .NET Framework 3.5.1, and .NET Framework 4 on all supported editions of Microsoft Windows, and is rated critical. (Obviously.)

According to Microsoft, the the update "addresses the vulnerabilities by correcting how the .NET Framework handles specially crafted requests, and how the ASP.NET Framework authenticates users and handles cached content."

Microsoft says most customers won't need to take any action at all because they have automatic updating enabled and this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating will want to manually check for updates and install this update immediately.